Wilshusen said executive branch agencies, in particular the Department of Homeland Security, need to advance cyber analysis and warning capabilities, acquire sufficient analytical and technical capabilities, develop strategies for hiring and retaining highly qualified cyber analysts and strengthen the effectiveness of the public-private sector partnerships in securing cyber-critical infrastructure. "Shortcomings and challenges associated with the implementation of several of the governmentwide security initiatives limit the initiatives' effectiveness in protecting federal systems," he said.

Executive branch agencies have yet to fully or effectively implement key elements of agency-wide information security programs, an underlying cause for IT security weaknesses, Wilshusen said. Among those programs: assessing risks, developing and implementing cost-effective security safeguards that reduce risk to an acceptable level, periodically testing and evaluating the effectiveness of the safeguards, and mitigating known control deficiencies.

"Until the executive branch agencies implement the hundreds of recommendations made by GAO and agency inspectors general to address cyber challenges, resolve identified deficiencies and fully implement effective security programs," Wilshusen wrote, "a broad array of federal assets and operations will remain at risk of fraud, misuse and disruption, and the nation's most critical federal and private sector infrastructure systems will remain at increased risk of attack from our adversaries."

Risk Management Framework: Learn from NIST

From heightened risks to increased regulations, senior leaders at all levels are pressured to improve their organizations' risk management capabilities. But no one is showing them how, until now.

Learn the fundamentals of developing a risk management program from the man who wrote the book on the topic: Ron Ross, computer scientist for the National Institute of Standards and Technology. In an exclusive presentation, Ross, lead author of NIST Special Publication 800-37, the bible of risk assessment and management, will share his unique insights on how to:

Understand the current cyber threats to all public and private sector organizations;

Develop a multi-tiered risk management approach built upon governance, processes and information systems;